Extend Your Global Privacy Strategy through Binding Corporate Rules
TRUSTe Binding Corporate Rules (BCR) Readiness Assessment is designed to:
- Help you understand if Binding Corporate Rules (BCR) are the right step for your company to meet international data transfer requirements;
- Map your corporate privacy program against the BCR requirements providing a clear gap analysis and recommendations on remediation to achieve compliance; and
- Combine with APEC Cross Border Privacy Rule Certification to meet global requirements
What are Binding Corporate Rules?
Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA in compliance with Directive 95/46/EC. Currently, the most popular alternative to BCRs is the use of the model contractual clauses approved by the European Commission. However, in multinational companies with complex structures, there are drawbacks where hundreds of contracts may be required to cover transfers between all affiliates, and keeping those contracts up to date can be difficult and time consuming.
How Can the TRUSTe BCR Readiness Assessment Help Multinationals with Data Transfer Compliance Requirements?
With the current uncertainty over the future of U.S.-EU Safe Harbor, U.S. companies are looking at alternative routes to ensure the adequacy of their international data transfers. Binding Corporate Rules are one of the options available but companies don’t necessarily want to commit to BCRs without a clear idea of the process and costs involved. The TRUSTe BCR Readiness Assessment helps companies to quickly review whether BCRs are right for them and the necessary steps to achieve compliance with the requirements. The framework will help companies build their BCR application in a streamlined and consistent manner and assess cost implications in advance. This assessment draws on TRUSTe’s leading-edge privacy-technology solution Assessment Manager alongside experience in addressing corporate compliance around international data transfers through preparing companies to self-certify with U.S-EU Safe Harbor and as the Accountability Agent for the APEC Cross-Border Privacy Rules Framework.
BCR READINESS ASSESSMENT FEATURES
Our privacy consultants can conduct a BCR Readiness Assessment, in as little as 2 – 4 weeks, to quickly give you the information you need to assess where you stand and what next steps you need to take to prepare for BCR submission.
Discovery & Assessment
We first conduct discovery of your company’s existing policies, practices, and documentation relevant to a BCR application. We also conduct interviews to identify relevant personal data flows.
In addition to information gathered during discovery, we leverage information from your existing TRUSTe Enterprise, US-EU Safe Harbor, and APEC Assessments and Certifications.
We then assess your company against our BCR Readiness Assessment requirements, based on a combination of sources including the Article 29 Working Party papers (WP 74, WP 108, WP 133) and the Referential BCR CBPR Requirements (“Referential”).
Our privacy experts deliver a Findings Report that includes a summary of requirements that are met along with gaps and recommended action items, broken down by priority and level of effort. This can help you determine whether to continue with preparation for the BCR submission.
Should you decide to move forward with preparation, the Findings Report serves as a project plan of clearly defined steps. This can help you effectively direct internal resources as well as outside counsel or consultants on any necessary work, so you can stay in control of the scope and budget.
GuidanceTRUSTe privacy experts advise on how best to package existing documentation to streamline the BCR application process.
BCRs vs. MODEL CONTRACT CLAUSES
Several privacy compliance mechanisms are available to provide coverage across multiple regions. With some uncertainty around the US-EU / US-Swiss Safe Harbor Framework, companies are now looking to BCRs or Model Contract Clauses as potential solutions.
Each option has benefits and trade–offs that are important to weigh when selecting a mechanism that fits your needs.
Model Contract Clauses
|By leveraging already approved clauses, this option provides a means of implementing some level of protection||For many companies, hundreds of contracts may be required to cover transfers between all affiliates. Keeping those contracts up to date can be difficult and time consuming|
|Companies with small EU footprints may be able to execute in a short timeframe||Some EU member states require registration of the use of the model contract clauses so that its Data Protection Authority can verify that the usage is appropriate|
|May require substantial and recurring outside counsel spend to continually review / revise hundreds of contracts, and respond to requests|
|Provides a sustainable framework for a range of intra-group data transfers||Can be a lengthy process if there is still a lot of work to be done to implement company procedures that meet requirements|
|Helps achieve an elevated and consistent level of data protection compliance accountability by ensuring that all group entities work towards enhanced data handling standards||Lead DPA coordinates to gain approval from individual member country’s DPA through “Mutual Recognition” agreement, but it is a process to plan for|
|Strengthen an organization’s brand in the eyes of customers, third-parties and regulators||On-going compliance reviews require maintenance time|
|Reduces administrative complexity of model contract clauses|
|More comprehensive than EU Safe Harbor|
|With the clear initial authorization from all of the impacted EU member country DPAs, this mechanism reduces risks of potential regulatory action|
TRUSTe Privacy Professionals
TRUSTe Privacy Services are delivered by our Privacy Consultants and Privacy Services Managers, a team of recognized data privacy experts with significant experience conducting privacy assessments. Our team has a unique hybrid background of privacy, technology, business process, and project management experience. All are CIPP trained or certified, many have law degrees, and have hands-on experience working for a wide range of companies including Adobe, American Express, Citrix, Comcast, HSBC Bank, IBM, Kimberly-Clark, Microsoft, Pfizer, and many more.
Our privacy team leverages nearly 20 years experience delivering data privacy management solutions for thousands of global brands along with our comprehensive technology platform. We also have key regulatory relationships and are a leading provider of privacy services supporting regulatory and self-regulatory compliance programs for a wide range of agencies including APEC, DOC, DAA, EDAA, and FTC.
TRUSTe Technology Platform
Our Data Privacy Management Services leverage the TRUSTe Platform, a comprehensive, SaaS technology solution that provides state of the art assessment management, compliance control, and website scanning / monitoring capabilities.